
Summary
This detection rule flags inbound messages that abuse an open redirect on TikTok. An open redirect occurs when an application accepts user-controlled input that names a URL and then sends the user to that URL without validating it; the attacker gets a link on a reputable domain that lands on a destination of their choosing. This redirect has been actively exploited, typically to deliver credential-phishing pages or malware. The rule inspects the links in inbound messages and matches those whose host is a TikTok domain and whose query string carries both the `target=` and `aid=` parameters, the combination that identifies the abused redirect endpoint rather than an ordinary TikTok link. Additional conditions exclude legitimate mail from TikTok itself when it passes DMARC authentication, as well as mail from high-trust sender domains that may fail DMARC. The goal is to surface messages that carry the redirect while avoiding false positives from trusted senders and from TikTok's own communications.
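The matching and exclusion logic described above, as an added Python example (not the rule's own query language or code). The TikTok host list, the high-trust sender list, the message records and the sample URLs are all constructed here for illustration; the treatment of high-trust senders that fail DMARC follows the summary's wording and is an assumption.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

# Assumed lists for the example; a real rule would reference its own
# curated TikTok domains and high-trust sender root domains.
TIKTOK_ROOT_DOMAINS = {"tiktok.com", "tiktokv.com"}
HIGH_TRUST_SENDER_ROOT_DOMAINS = {"microsoft.com", "google.com"}
REQUIRED_PARAMS = {"target", "aid"}


@dataclass
class Message:
    """Minimal stand-in for an inbound message (constructed for the example)."""
    sender_domain: str
    dmarc_pass: bool
    links: list = field(default_factory=list)


def root_domain(host: str) -> str:
    """Reduce a hostname to its registrable root (last two labels).

    Good enough for .com-style hosts used here; a production rule would use a
    public-suffix list so that e.g. tiktok.co.uk is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_tiktok_open_redirect(url: str) -> bool:
    """True when the link points at a TikTok host and carries target= and aid=.

    urlparse().hostname is used so that tricks such as
    https://tiktok.com@evil.example/ or https://tiktok.com.evil.example/
    resolve to the attacker's host, not to TikTok.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False
    host = parsed.hostname or ""
    if root_domain(host) not in TIKTOK_ROOT_DOMAINS:
        return False
    # keep_blank_values so a bare "target=" still counts as present
    params = parse_qs(parsed.query, keep_blank_values=True)
    return REQUIRED_PARAMS.issubset(params)


def matches_rule(msg: Message) -> bool:
    """Apply the detection: redirect present, minus the two sender exclusions."""
    if not any(is_tiktok_open_redirect(u) for u in msg.links):
        return False
    sender_root = root_domain(msg.sender_domain)
    # Exclusion 1: TikTok's own mail, but only when DMARC passes, so a
    # spoofed tiktok.com sender that fails DMARC still fires.
    if sender_root in TIKTOK_ROOT_DOMAINS and msg.dmarc_pass:
        return False
    # Exclusion 2: high-trust sender domains; per the summary these are
    # excluded even when DMARC fails (assumption about the rule's intent).
    if sender_root in HIGH_TRUST_SENDER_ROOT_DOMAINS:
        return False
    return True


# Constructed sample messages exercising each branch.
REDIRECT = "https://www.tiktok.com/link/v2?aid=1988&target=https%3A%2F%2Flogin.evil.example%2F"
PHISH = Message("random-sender.example", False, [REDIRECT])
SPOOFED_TIKTOK = Message("tiktok.com", False, [REDIRECT])
LEGIT_TIKTOK = Message("tiktok.com", True, [REDIRECT])
HIGH_TRUST = Message("mail.microsoft.com", False, [REDIRECT])
ORDINARY_LINK = Message("random-sender.example", False,
                        ["https://www.tiktok.com/@someone/video/123"])

if __name__ == "__main__":
    for name, m in [("phish", PHISH), ("spoofed_tiktok", SPOOFED_TIKTOK),
                    ("legit_tiktok", LEGIT_TIKTOK), ("high_trust", HIGH_TRUST),
                    ("ordinary_link", ORDINARY_LINK)]:
        print(f"{name:15} -> {'ALERT' if matches_rule(m) else 'pass'}")
```

Note that the `target=` value is never followed here: the rule keys on the redirect endpoint itself, so it catches the abuse even when the final destination is not yet known to be malicious.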
Categories
- Web
- Cloud
- Application
Data Sources
- User Account
- Network Traffic
- Application Log
Created: 2024-09-10